From ed263d4a380036b654525ee268db615c17d0d216 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Fri, 11 Dec 2020 18:28:32 +0100
Subject: test suite: supply our own OpenSSL configuration file with
 MinProtocol=None.

So we can test TLSv1 as well, not just TLSv1.2 and later.

Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration
file (the default as of 2.3.11.3), hence running TLS tests now require
Dovecot 2.3 or later.
---
 Changelog                     |  6 ++++++
 tests/config/dovecot/ssl.conf |  1 +
 tests/config/openssl.cnf      | 14 ++++++++++++++
 tests/run                     |  4 +++-
 tests/starttls/t              |  2 +-
 tests/tls-verify-peer/t       |  2 +-
 tests/tls/t                   |  2 +-
 7 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 tests/config/openssl.cnf

diff --git a/Changelog b/Changelog
index e21ccf7..01e272c 100644
--- a/Changelog
+++ b/Changelog
@@ -9,6 +9,12 @@ interimap (0.5.5) upstream;
  - libinterimap: use Net::SSLeay::get_version() to get the protocol
    version string.
  - test suite: `mv tests/snippets tests/config`
+ - test suite: supply our own OpenSSL configuration file with
+   MinProtocol=None so we can test TLSv1 as well, not just TLSv1.2 and
+   later.
+ - test suite: explicitly set ssl_min_protocol=TLSv1 in the Dovecot
+   configuration file (the default as of 2.3.11.3), hence running TLS
+   tests now require Dovecot 2.3 or later.
 
  -- Guilhem Moulin <guilhem@fripost.org>  Fri, 11 Dec 2020 14:55:53 +0100
 
diff --git a/tests/config/dovecot/ssl.conf b/tests/config/dovecot/ssl.conf
index 2d68c80..3fd99d5 100644
--- a/tests/config/dovecot/ssl.conf
+++ b/tests/config/dovecot/ssl.conf
@@ -2,3 +2,4 @@ ssl = required
 ssl_cert = <dovecot.rsa.crt
 ssl_key = <dovecot.rsa.key
 ssl_dh = <dhparams.pem
+ssl_min_protocol = TLSv1
diff --git a/tests/config/openssl.cnf b/tests/config/openssl.cnf
new file mode 100644
index 0000000..980097d
--- /dev/null
+++ b/tests/config/openssl.cnf
@@ -0,0 +1,14 @@
+# as we want to test TLSv1 we need to set MinProtocol=None, see
+# see /usr/share/doc/libssl1.1/NEWS.Debian.gz
+
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = None
+CipherString = DEFAULT
diff --git a/tests/run b/tests/run
index 994c257..29384ec 100755
--- a/tests/run
+++ b/tests/run
@@ -57,11 +57,13 @@ mkdir -- "$TMPDIR" "$ROOTDIR/home"
 declare -a REMOTES=()
 
 # Set environment for the given user
+OPENSSL_CONF="$BASEDIR/config/openssl.cnf"
 environ_set() {
     local user="$1" home
     eval home="\$HOME_$user"
     ENVIRON=(
         PATH="$PATH"
+        OPENSSL_CONF="$OPENSSL_CONF"
         USER="$user"
         HOME="$home"
         XDG_CONFIG_HOME="$home/.config"
@@ -443,7 +445,7 @@ passed() {
 # Run test in a sub-shell
 declare -a ENVIRON=()
 environ_set "local"
-export TMPDIR TESTDIR STDERR "${ENVIRON[@]}"
+export TMPDIR TESTDIR STDERR "${ENVIRON[@]}" OPENSSL_CONF
 export -f environ_set doveadm interimap interimap_init pullimap _interimap_cmd
 export -f sqlite3 sample_message deliver ptree_abort step_start step_done passed
 export -f check_mailbox_status check_mailbox_status_values check_mailbox_status2
diff --git a/tests/starttls/t b/tests/starttls/t
index 55caf99..62b2151 100644
--- a/tests/starttls/t
+++ b/tests/starttls/t
@@ -22,7 +22,7 @@ grep -Fx "remote: C: 000000 STARTTLS"   <"$STDERR" || error
 grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error
 
 grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
-grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
 
 check_mailbox_status "INBOX"
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 2461a1f..17018a6 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -31,7 +31,7 @@ verified_peer() {
     [ -s "$TMPDIR/preverify" ] || error
     ! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error
 
-    grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+    grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
     grep "^remote: SSL cipher: " <"$STDERR" || error
 
     check_mailbox_status "INBOX"
diff --git a/tests/tls/t b/tests/tls/t
index 76f7c14..a674b28 100644
--- a/tests/tls/t
+++ b/tests/tls/t
@@ -9,7 +9,7 @@ done
 
 interimap --debug || error
 grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
-grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
+grep "^remote: SSL protocol: TLSv" <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
 
 check_mailbox_status "INBOX"
-- 
cgit v1.2.3